diff --git a/main/src/com/google/refine/importing/ImportingUtilities.java b/main/src/com/google/refine/importing/ImportingUtilities.java
index 922141c352c9..65762fb88318 100644
--- a/main/src/com/google/refine/importing/ImportingUtilities.java
+++ b/main/src/com/google/refine/importing/ImportingUtilities.java
@@ -439,7 +439,11 @@ static public File allocateFile(File dir, String name) {
 name = name.substring(0, q);
 }
- File file = new File(dir, name);
+ File file = new File(dir, name);
+ // For CVE-2018-19859, issue #1840
+ if (!file.toPath().normalize().startsWith(dir.toPath().normalize())) {
+ throw new IllegalArgumentException("Zip archives with files escaping their root directory are not allowed.");
+ }
 int dot = name.indexOf('.');
 String prefix = dot < 0 ? name : name.substring(0, dot);
diff --git a/main/tests/server/src/com/google/refine/tests/importing/ImportingUtilitiesTests.java b/main/tests/server/src/com/google/refine/tests/importing/ImportingUtilitiesTests.java
new file mode 100644
index 000000000000..b577d3aa41eb
--- /dev/null
+++ b/main/tests/server/src/com/google/refine/tests/importing/ImportingUtilitiesTests.java
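Review bot: The new guard still accepts a `file` that normalizes to `dir` itself, because `Path.startsWith` returns true for an equal path — an entry named `.` or `sub/..` passes the check and `allocateFile` carries on with the root directory as its target; what the rest of the method does with that is outside the hunk (the body of `allocateFile` starts and ends beyond it). I would compare absolute, normalized paths and reject equality: `Path root = dir.toPath().toAbsolutePath().normalize();`, `Path target = file.toPath().toAbsolutePath().normalize();`, `if (target.equals(root) || !target.startsWith(root)) { throw new IllegalArgumentException(...); }`. `normalize()` is purely lexical and does not follow symlinks, so if the extraction code writes symlink entries before the regular files that follow them, this check alone would not stop a write through such a link — worth confirming against the caller. The message also assumes a zip archive although the helper takes a generic `(File dir, String name)`; if other importers call it, a neutral wording such as `"File name escapes its destination directory."` would fit them as well.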
@@ -0,0 +1,56 @@
+
+package com.google.refine.tests.importing;
+
+import java.util.LinkedList;
+
+import org.testng.Assert;
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+import com.fasterxml.jackson.databind.node.ArrayNode;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import com.google.refine.ProjectMetadata;
+import com.google.refine.importers.tree.TreeImportingParserBase;
+import com.google.refine.importing.ImportingJob;
+import com.google.refine.importing.ImportingUtilities;
+import com.google.refine.tests.importers.ImporterTest;
+import com.google.refine.util.JSONUtilities;
+import com.google.refine.util.ParsingUtilities;
+
+public class ImportingUtilitiesTests extends ImporterTest {
+
+ @Override
+ @BeforeMethod
+ public void setUp(){
+ super.setUp();
+ }
+
+ @Test
+ public void createProjectMetadataTest()
+ throws Exception {
+ ObjectNode optionObj = ParsingUtilities.evaluateJsonStringToObjectNode(
+ "{\"projectName\":\"acme\",\"projectTags\":[],\"created\":\"2017-12-18T13:28:40.659\",\"modified\":\"2017-12-20T09:28:06.654\",\"creator\":\"\",\"contributors\":\"\",\"subject\":\"\",\"description\":\"\",\"rowCount\":50,\"customMetadata\":{}}");
+ ProjectMetadata pm = ImportingUtilities.createProjectMetadata(optionObj);
+ Assert.assertEquals(pm.getName(), "acme");
+ Assert.assertEquals(pm.getEncoding(), "UTF-8");
+ Assert.assertTrue(pm.getTags().length == 0);
+ }
+
+ @Test(expectedExceptions=IllegalArgumentException.class)
+ public void testZipSlip() {
+ // For CVE-2018-19859, issue #1840
+ ImportingUtilities.allocateFile(workspaceDir, "../../script.sh");
+ }
+
+ private ObjectNode getNestedOptions(ImportingJob job, TreeImportingParserBase parser) {
+ ObjectNode options = parser.createParserUIInitializationData(
+ job, new LinkedList<>(), "text/json");
+
+ ArrayNode path = ParsingUtilities.mapper.createArrayNode();
+ path.add("results");
+ path.add("result");
+
+ JSONUtilities.safePut(options, "recordPath", 
path);
+ return options;
+ }
+}
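Review bot: `testZipSlip` pins only one negative case, so a guard that rejected every name would pass it just as well; add a positive case in a separate test that expects no exception, `ImportingUtilities.allocateFile(workspaceDir, "sub/file.txt");`, and a second traversal shape such as `"sub/../../script.sh"` so both directions of the fix are covered. `getNestedOptions` has no caller anywhere in this new file, which makes it — and the `LinkedList`, `ArrayNode`, `ImportingJob`, `TreeImportingParserBase` and `JSONUtilities` imports that exist only for it — dead code in the commit; either drop it or add the test that uses it. `workspaceDir` is inherited from `ImporterTest`, which is not in the diff, so the test is assuming it is a real scratch directory rather than a relative path; a short comment on `testZipSlip` saying so would help the next reader.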